32-11
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 32 Configuring Management Access
Configuring AAA for System Administrators
• Limiting User CLI and ASDM Access with Management Authorization, page 32-12
• Configuring Command Authorization, page 32-13
• Configuring Management Access Accounting, page 32-22
• Viewing the Current Logged-In User, page 32-23
• Recovering from a Lockout, page 32-24
Configuring Authentication for CLI, ASDM, and enable command Access
If you enable CLI authentication, the adaptive security appliance prompts you for your username and
password to log in. After you enter your information, you have access to user EXEC mode.
To enter privileged EXEC mode, enter the enable command or the login command (if you are using the
local database only).
If you configure enable authentication, the adaptive security appliance prompts you for your username
and password when you enter the enable command. If you do not configure enable authentication, you
enter the system enable password (set by the enable password command) when you enter the enable
command. However, without enable authentication, after you enter the enable command you are no
longer logged in as a particular user, so your subsequent activity is not associated with your username.
To maintain your username, use enable authentication.
For authentication using the local database, you can use the login command, which maintains the
username but requires no configuration to turn on authentication.
Note Before the adaptive security appliance can authenticate a Telnet, SSH, or HTTP user, you must first
configure access to the adaptive security appliance. See the “Configuring Device Access for ASDM,
Telnet, or SSH” section on page 32-1. This configuration identifies the IP addresses that are allowed to
communicate with the adaptive security appliance.
Detailed Steps
To configure CLI, ASDM, or enable authentication, perform the following steps:
Step 1 To authenticate users who use the enable command, go to Configuration > Device Management >
Users/AAA > AAA Access > Authentication, and configure the following settings:
a. Check the Enable check box.
b. From the Server Group drop-down list, choose a server group name or the LOCAL database.
c. (Optional) If you chose a AAA server, you can configure the adaptive security appliance to use the
local database as a fallback method if the AAA server is unavailable. Click the Use LOCAL when
server group fails check box. We recommend that you use the same username and password in the
local database as the AAA server because the adaptive security appliance prompt does not give any
indication which method is being used.
Step 2 To authenticate users who access the CLI or ASDM, go to Configuration > Device Management >
Users/AAA > AAA Access > Authentication, and configure the following settings:
a. Check one or more of the following check boxes:
• HTTP/ASDM—Authenticates the ASDM client that accesses the adaptive security appliance using
HTTPS. You only need to configure HTTP authentication if you want to use a AAA server. By
default, ASDM uses the local database for authentication even if you do not configure this
setting.